@@ -70,6 +70,9 @@ current user's branch." = Examples +A fully functional example application can be found at +http://github.com/stffn/decl_auth_demo_app + == Controller If authentication is in place, enabling user-specific access control may be README.rdoc @@ -110,13 +110,6 @@ module Authorization # find a authorization rule that matches for at least one of the roles and # at least one of the given privileges attr_validator = AttributeValidator.new(self, user, options[:object]) - #puts "All rules: #{@auth_rules.inspect}" - #rules_matching_roles = @auth_rules.select {|r| roles.include?(r.role) } - #puts "Matching for roles: #{rules_matching_roles.inspect}" - #puts "Matching rules for user #{user.inspect}," - #puts " roles #{roles.inspect}," - #puts " privs #{privileges.inspect}:" - #puts " #{matching_auth_rules(roles, privileges).inspect}" rules = matching_auth_rules(roles, privileges, options[:context]) if rules.empty? raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " + @@ -336,10 +329,16 @@ module Authorization case value[0] when :is attr_value == evaluated + when :is_not + attr_value != evaluated when :contains attr_value.include?(evaluated) + when :does_not_contain + !attr_value.include?(evaluated) when :is_in evaluated.include?(attr_value) + when :is_not_in + !evaluated.include?(attr_value) else raise AuthorizationError, "Unknown operator #{value[0]}" end lib/authorization.rb @@ -7,22 +7,31 @@ module Authorization # constructs a data model of its contents. # # For examples and the modelled data model, see the - # README[link:files/README.html]. + # README[link:files/README_rdoc.html]. # - # Also, see + # Also, see role definition methods # * AuthorizationRulesReader#role, # * AuthorizationRulesReader#includes, # * AuthorizationRulesReader#title, - # * AuthorizationRulesReader#description, + # * AuthorizationRulesReader#description + # + # Methods for rule definition in roles # * AuthorizationRulesReader#has_permission_on, # * AuthorizationRulesReader#to, # * AuthorizationRulesReader#if_attribute, - # * AuthorizationRulesReader#if_permitted_to, + # * AuthorizationRulesReader#if_permitted_to + # + # Methods to be used in if_attribute statements # * AuthorizationRulesReader#contains, + # * AuthorizationRulesReader#does_not_contain, # * AuthorizationRulesReader#is, - # * PrivilegesReader#privilege and + # * AuthorizationRulesReader#is_not, + # * AuthorizationRulesReader#is_in, + # * AuthorizationRulesReader#is_not_in + # + # And privilege definition methods + # * PrivilegesReader#privilege, # * PrivilegesReader#includes - # for details. # module Reader # Signals errors that occur while reading and parsing an authorization DSL @@ -326,19 +335,29 @@ module Authorization attr_or_hash, options[:context]) end - # In an if_attribute statement, is says that the value has to be exactly - # met by the if_attribute attribute. For information on the block + # In an if_attribute statement, is says that the value has to be + # met exactly by the if_attribute attribute. For information on the block # argument, see if_attribute. def is (&block) [:is, block] end - + + # The negation of is. + def is_not (&block) + [:is_not, block] + end + # In an if_attribute statement, contains says that the value has to be # part of the collection specified by the if_attribute attribute. # For information on the block argument, see if_attribute. def contains (&block) [:contains, block] end + + # The negation of contains. + def does_not_contain (&block) + [:does_not_contain, block] + end # In an if_attribute statement, is_in says that the value has to # contain the attribute value. @@ -346,6 +365,11 @@ module Authorization def is_in (&block) [:is_in, block] end + + # The negation of is_in. + def is_not_in (&block) + [:is_not_in, block] + end private def parse_attribute_conditions_hash! (hash) lib/reader.rb @@ -286,6 +286,26 @@ class AuthorizationTest < Test::Unit::TestCase :user => MockUser.new(:test_role, :test_attr => 2), :object => MockDataObject.new(:test_attr => 1))))) end + + def test_attribute_is_not + reader = Authorization::Reader::DSLReader.new + reader.parse %| + authorization do + role :test_role do + has_permission_on :permissions, :to => :test do + if_attribute :test_attr => is_not { user.test_attr } + end + end + end + | + engine = Authorization::Engine.new(reader) + assert !engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role, :test_attr => 1), + :object => MockDataObject.new(:test_attr => 1)) + assert engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role, :test_attr => 2), + :object => MockDataObject.new(:test_attr => 1)) + end def test_attribute_contains reader = Authorization::Reader::DSLReader.new @@ -306,6 +326,26 @@ class AuthorizationTest < Test::Unit::TestCase :user => MockUser.new(:test_role, :test_attr => 3), :object => MockDataObject.new(:test_attr => [1,2])) end + + def test_attribute_does_not_contain + reader = Authorization::Reader::DSLReader.new + reader.parse %| + authorization do + role :test_role do + has_permission_on :permissions, :to => :test do + if_attribute :test_attr => does_not_contain { user.test_attr } + end + end + end + | + engine = Authorization::Engine.new(reader) + assert !engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role, :test_attr => 1), + :object => MockDataObject.new(:test_attr => [1,2])) + assert engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role, :test_attr => 3), + :object => MockDataObject.new(:test_attr => [1,2])) + end def test_attribute_in_array reader = Authorization::Reader::DSLReader.new @@ -330,6 +370,26 @@ class AuthorizationTest < Test::Unit::TestCase :user => MockUser.new(:test_role), :object => MockDataObject.new(:test_attr => 4)) end + + def test_attribute_not_in_array + reader = Authorization::Reader::DSLReader.new + reader.parse %| + authorization do + role :test_role do + has_permission_on :permissions, :to => :test do + if_attribute :test_attr => is_not_in { [1,2] } + end + end + end + | + engine = Authorization::Engine.new(reader) + assert !engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:test_attr => 1)) + assert engine.permit?(:test, :context => :permissions, + :user => MockUser.new(:test_role), + :object => MockDataObject.new(:test_attr => 4)) + end def test_attribute_deep reader = Authorization::Reader::DSLReader.new test/authorization_test.rb @@ -84,7 +84,12 @@ class DSLReaderTest < Test::Unit::TestCase authorization do role :test_role do has_permission_on :perms, :to => :test do - if_attribute :test_attr => is { user.test_attr } + if_attribute :test_attr => is { user.test_attr } + if_attribute :test_attr_2 => is_not { user.test_attr } + if_attribute :test_attr_3 => contains { user.test_attr } + if_attribute :test_attr_4 => does_not_contain { user.test_attr } + if_attribute :test_attr_5 => is_in { user.test_attr } + if_attribute :test_attr_5 => is_not_in { user.test_attr } end end end test/dsl_reader_test.rb ed0f9c369f8fb9db19e42f06e3c8fd50bd4f3453 Steffen Bartsch sbartsch@tzi.org http://github.com/stffn/declarative_authorization/commit/651fe2b8f42a0661f6775c1982699e4c75470658 651fe2b8f42a0661f6775c1982699e4c75470658 2009-02-02T11:01:20-08:00 2009-02-02T11:01:20-08:00 New if_attribute operators: is_not, does_not_contain, not_in. 470a4605983d9299b70dd15ee64d3fafcc743a9b Steffen Bartsch sbartsch@tzi.org